SSHStalker Botnet: Exploiting Linux Systems with Legacy Kernel Vulnerabilities (2026)

In a striking revelation, cybersecurity experts have unveiled a new botnet operation known as SSHStalker, which employs the Internet Relay Chat (IRC) protocol for its command-and-control (C2) functionality. This discovery not only highlights the evolving tactics of cybercriminals but also raises concerns about the vulnerabilities in legacy systems that are often overlooked.

According to the cybersecurity firm Flare, "The toolset merges stealthy helpers with exploitation techniques from the older Linux era: It includes log cleaners that manipulate utmp, wtmp, and lastlog records, along with rootkit-like elements. The operator has amassed a significant collection of exploits targeting the Linux 2.6.x kernel from around 2009 to 2010, which, although less effective against modern systems, can still successfully target neglected infrastructures and long-tail legacy environments."

SSHStalker operates by combining the mechanics of an IRC botnet with an automated approach to mass-compromise operations. It utilizes an SSH scanner along with other easily accessible scanning tools to identify and infiltrate vulnerable systems, integrating them into its network and connecting them to IRC channels.

What sets SSHStalker apart from similar campaigns is its unusual focus on maintaining long-term access to compromised systems without engaging in typical follow-up activities seen in other botnets, such as launching distributed denial-of-service (DDoS) attacks, proxyjacking, or cryptocurrency mining. Instead, it appears to be preserving these infiltrated systems for possible future use, testing, or strategic staging.

At the heart of SSHStalker is a Golang-based scanner that targets port 22, seeking out servers with open SSH ports to expand its reach in a manner reminiscent of a worm. Additionally, various payloads are deployed, including several types of IRC-controlled bots and a Perl script that connects to a specific UnrealIRCd server. Once connected, these bots join a control channel and await commands, enabling them to execute flood-style traffic attacks and gain control over the other bots within the network.

Operationally, SSHStalker runs C programs that clean SSH connection logs (the utmp, wtmp, and lastlog records mentioned above), erasing traces of malicious activity and reducing the chance of detection during a forensic investigation. To improve its resilience, the toolkit also includes a "keep-alive" feature that restarts the primary malware process within 60 seconds if it is terminated by security measures.
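The log-cleaning behaviour described above is one place a defender can look for traces. As an added example (not code from Flare's report or from the malware itself), the following Python script parses a wtmp file and flags records that are inconsistent with normal login accounting: entries zeroed in place and logouts with no opening login. The sample bytes are constructed, and the 64-bit glibc struct utmp layout is assumed.

```python
import struct
from collections import defaultdict

# Layout of struct utmp on 64-bit glibc Linux (384 bytes per record), as
# described in utmp(5): type, pad, pid, line, id, user, host, exit status,
# session, timeval (sec, usec), IPv6 address, reserved bytes.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8

def parse_wtmp(data):
    """Yield (ut_type, ut_line, ut_user, ut_host, sec) for each whole record."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        line, user, host = (x.split(b"\0", 1)[0].decode(errors="replace")
                            for x in (f[2], f[4], f[5]))
        yield f[0], line, user, host, f[9]

def find_anomalies(data):
    """Return (record_index, reason) for records that login(1)/sshd would not
    normally produce: all-zero records (a cleaner wiped an entry in place) and
    DEAD_PROCESS records whose USER_PROCESS entry is missing (a cleaner deleted
    the login). A missing login can also be legitimate right after log
    rotation or a reboot, so treat these as leads to verify, not proof."""
    findings = []
    open_lines = defaultdict(list)
    for idx, (ut_type, line, user, host, sec) in enumerate(parse_wtmp(data)):
        if ut_type == 0 and not line and not user and sec == 0:
            findings.append((idx, "zeroed record"))
        elif ut_type == USER_PROCESS:
            open_lines[line].append(idx)
        elif ut_type == DEAD_PROCESS:
            if open_lines[line]:
                open_lines[line].pop()
            else:
                findings.append((idx, f"logout on {line} with no matching login"))
    return findings

def make_record(ut_type, line, user, host, sec, pid=0):
    """Build one constructed utmp record (sample data, not a captured file)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)

# Constructed wtmp: one clean session, one entry wiped in place, one session
# whose login record was removed but whose logout record was left behind.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, "pts/0", "alice", "10.0.0.5", 1700000000, 4201),
    make_record(DEAD_PROCESS, "pts/0", "", "", 1700000600, 4201),
    bytes(UTMP_SIZE),
    make_record(DEAD_PROCESS, "pts/1", "", "", 1700001200, 4310),
])

if __name__ == "__main__":
    for idx, reason in find_anomalies(SAMPLE_WTMP):
        print(f"record {idx}: {reason}")
```

On a real host, read `/var/log/wtmp` in binary mode and pass the bytes to `find_anomalies`; cross-check any finding against sshd's own log entries in `/var/log/auth.log` or the journal, which the in-place cleaners described here do not touch.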

SSHStalker's approach is particularly noteworthy as it integrates mass compromise automation with a catalog of 16 distinct vulnerabilities affecting the Linux kernel—many dating back over a decade. Some of the specific vulnerabilities exploited by this botnet include CVE-2009-2692, CVE-2009-2698, CVE-2010-3849, CVE-2010-1173, CVE-2009-2267, CVE-2009-2908, CVE-2009-3547, CVE-2010-2959, and CVE-2010-3437.

Flare's investigation into the infrastructure used by the threat actor behind SSHStalker revealed a vast array of open-source offensive tools and previously identified malware samples. These resources include:

  • Rootkits designed to enable stealth and persistence
  • Cryptocurrency mining tools
  • A Python script that runs a binary named "website grabber" to extract exposed Amazon Web Services (AWS) credentials from targeted sites
  • EnergyMech, an IRC bot that facilitates command-and-control operations and remote command execution

Interestingly, there are indications that the group behind this operation may have Romanian ties, as evidenced by the use of Romanian-style nicknames, slang, and naming conventions within IRC channels and configuration files. Moreover, there are notable similarities between the operational fingerprints of SSHStalker and a known hacking collective referred to as Outlaw.

As Flare notes, "SSHStalker does not seem to pursue the development of new exploits. Instead, it showcases refined operational control through well-established implementation and orchestration methods. The core bot's low-level components are primarily written in C, while shell scripts handle orchestration and persistence tasks. Limited use of Python and Perl is mainly for auxiliary automation within the attack sequence and managing the IRC bot."

In essence, the operators behind SSHStalker are not venturing into the realm of zero-day exploits or novel rootkits. Rather, they exemplify disciplined operational practices centered on mass compromise workflows, recycling of infrastructure, and maintaining long-term access across a diverse range of Linux environments.

What do you think about the implications of such botnet operations? Are we prepared to address the vulnerabilities of our legacy systems, or are we underestimating the potential risks associated with outdated technology? Share your thoughts in the comments!
